Feature request: integrate with Access-Control-Allow-Credentials header #32

@cfredric

In the CORS protocol, the Access-Control-Allow-Credentials header is a way for the server to explicitly opt into allowing the browser to send a credentialed request (from a given origin, the one named in the Access-Control-Allow-Origin header).

This is the same as the purpose of the Activate-Storage-Access: retry; allowed-origin="..." header in the SAH protocol; the only difference is that SAH does not require use of the 'cors' request mode.

However, if a user grants the storage-access permission and then sends a CORS-enabled non-simple request that requires credentials, that request will require both a CORS preflight and a subsequent use of the Activate-Storage-Access: retry; ... header.

We could elide the second round trip by allowing the browser to activate the storage-access permission (thereby attaching cookies to the request) after the CORS preflight.
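The round-trip sequence described above, as a simplified model added here; it is not part of the issue, the SAH specification, or any browser's code. The server logic, the 401 status, the sample origin and cookie, and the `activateAfterPreflight` switch are assumptions for illustration; `Sec-Fetch-Storage-Access` is the request header SAH uses to report the permission state.

```javascript
// Added example: simplified model, not browser or spec code.
const ORIGIN = "https://embedder.example"; // constructed sample origin
const CORS = { "Access-Control-Allow-Origin": ORIGIN,
               "Access-Control-Allow-Credentials": "true" };

// Hypothetical server: opts in via CORS on the preflight, and asks for an
// SAH retry when the real request arrives without active storage access.
function server(req) {
  if (req.method === "OPTIONS") {
    return { status: 204, headers: { ...CORS, "Access-Control-Allow-Methods": "PUT" } };
  }
  if (req.headers["Sec-Fetch-Storage-Access"] !== "active") {
    const retry = `retry; allowed-origin="${ORIGIN}"`;
    return { status: 401, headers: { ...CORS, "Activate-Storage-Access": retry } };
  }
  return { status: 200, headers: CORS, sawCookie: "Cookie" in req.headers };
}

// Hypothetical browser: permission is granted but starts inactive.
// activateAfterPreflight=true models the behaviour the issue proposes.
function credentialedPut({ activateAfterPreflight }) {
  const log = [];
  const send = (req) => { const r = server(req); log.push(`${req.method} ${r.status}`); return r; };
  const pre = send({ method: "OPTIONS",
                     headers: { Origin: ORIGIN, "Access-Control-Request-Method": "PUT" } });
  // Credentialed CORS needs an exact origin match plus Allow-Credentials: true.
  const optedIn = pre.headers["Access-Control-Allow-Origin"] === ORIGIN &&
    pre.headers["Access-Control-Allow-Credentials"] === "true";
  if (!optedIn) return { log, roundTrips: log.length, sawCookie: false };
  let active = activateAfterPreflight;
  const put = () => send({
    method: "PUT",
    headers: {
      Origin: ORIGIN,
      "Sec-Fetch-Storage-Access": active ? "active" : "inactive",
      ...(active ? { Cookie: "sid=constructed" } : {}),
    },
  });
  let res = put();
  const sah = res.headers["Activate-Storage-Access"] || "";
  if (!active && sah === `retry; allowed-origin="${ORIGIN}"`) {
    active = true; // SAH retry: activate the permission and resend
    res = put();
  }
  return { log, roundTrips: log.length, sawCookie: res.sawCookie === true };
}
```

In this model the browser attaches cookies only after the server has named the requesting origin, either in the `Activate-Storage-Access` retry or, under the proposal, in the preflight's `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`.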
